Chinese Espionage Campaign Targets Southeast Asian Militaries With AppleChris and MemFun
A China-linked cyber espionage campaign targeted military organizations in Southeast Asia, with Palo Alto Networks Unit 42 tracking the activity as CL-STA-1087. The operation reportedly dates back to at least 2020 and focused on high-value intelligence collection rather than broad data theft, including files related to military capabilities, organizational structures, official meeting records, and cooperation with Western armed forces. Researchers said the campaign showed the hallmarks of a patient, state-backed intrusion set, including tailored delivery, defense evasion, stable infrastructure, and custom malware used to maintain long-term access.
The attackers used backdoors identified as AppleChris and MemFun, along with a credential harvester called Getpass. Unit 42 observed suspicious PowerShell activity that slept for six hours before establishing reverse shells to attacker-controlled C2 infrastructure, after which AppleChris variants were deployed across endpoints following lateral movement to preserve persistence and reduce detection. One additional reference briefly mentions Chinese-nexus operators pivoting rapidly against regional targets using conflict-themed lures, but the rest of the material is unrelated newsletter, opinion, podcast, or best-practice content rather than reporting on the same espionage operation.
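The six-hour dormancy before the first outbound connection is a detectable pattern on its own: a PowerShell process that starts, does nothing, and hours later opens its first connection. The following is an added example of that correlation written for this page, not Unit 42 code or tooling; the event records and their field names are constructed stand-ins for EDR process-creation and network-connection telemetry, not any vendor's schema.

```python
"""Flag PowerShell processes that stay dormant for hours before their first
outbound connection. Added example, not Unit 42 code; the event records and
field names below are constructed, not a vendor schema."""
from datetime import datetime
import re

# Constructed telemetry in the shape of EDR process-creation and
# network-connection events (field names are assumptions for this example).
EVENTS = [
    {"type": "process", "pid": 4120, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -c Start-Sleep -Seconds 21600",
     "ts": "2024-01-10T01:00:00"},
    {"type": "process", "pid": 5210, "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\inventory.ps1",
     "ts": "2024-01-10T01:05:00"},
    {"type": "network", "pid": 5210, "dst": "10.0.0.25", "dport": 443,
     "ts": "2024-01-10T01:05:02"},
    {"type": "network", "pid": 4120, "dst": "203.0.113.10", "dport": 443,
     "ts": "2024-01-10T07:00:03"},
]

# Start-Sleep with an optional -Seconds/-s/-Milliseconds/-ms switch and a
# numeric argument (the positional form defaults to seconds).
SLEEP_RE = re.compile(
    r"start-sleep\s+(?:-(seconds|s|milliseconds|ms)\s+)?(\d+)", re.I)

DORMANCY_THRESHOLD = 3600  # seconds; tune to the environment's baseline


def declared_sleep_seconds(cmdline: str) -> int:
    """Sum the sleep durations a command line asks for, in seconds."""
    total = 0
    for unit, value in SLEEP_RE.findall(cmdline):
        n = int(value)
        if unit.lower() in ("milliseconds", "ms"):
            n //= 1000
        total += n
    return total


def find_dormant_powershell(events, threshold=DORMANCY_THRESHOLD):
    """Correlate each network event with the most recent PowerShell start for
    its PID and report processes whose first connection follows a long
    dormancy or whose command line declares a long sleep."""
    starts = {}  # pid -> (start time, process event), powershell.exe only
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "process":
            if ev["image"].lower() == "powershell.exe":
                starts[ev["pid"]] = (ts, ev)
            continue
        if ev["type"] != "network" or ev["pid"] not in starts:
            continue
        started, proc = starts.pop(ev["pid"])  # only the first connection counts
        dormant = int((ts - started).total_seconds())
        declared = declared_sleep_seconds(proc["cmdline"])
        if dormant >= threshold or declared >= threshold:
            findings.append({
                "pid": ev["pid"],
                "dormant_seconds": dormant,
                "declared_sleep_seconds": declared,
                "dst": f'{ev["dst"]}:{ev["dport"]}',
                "cmdline": proc["cmdline"],
            })
    return findings


if __name__ == "__main__":
    for finding in find_dormant_powershell(EVENTS):
        print(finding)
```

Against the constructed events the routine reports only PID 4120 (dormant for 21,603 seconds, with a declared 21,600-second sleep) and leaves the ordinary script that connected two seconds after launch alone. In production the command-line check matters as much as the timing: a sleep argument can be obfuscated, so the dormancy measurement should stay the primary signal and the declared value an enrichment.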
Related Stories

China-Linked Espionage Campaigns Target Regional Government and Military Interests
Security researchers reported multiple **China-linked espionage operations**, but they are not the same incident. One campaign tracked by Palo Alto Networks as **CL-STA-1087** targeted military organizations in Southeast Asia over several years, focusing on intelligence collection related to military capabilities, organizational structures, and cooperation with Western armed forces. The activity used custom malware including the **AppleChris** and **MemFun** backdoors and a **Getpass** credential harvester, alongside stable infrastructure and selective file collection consistent with long-term state-sponsored espionage. A separate report from Zscaler described a **China-nexus** intrusion set targeting entities in the Persian Gulf using conflict-themed lures to deliver **PlugX**. That attack chain relied on a ZIP archive containing a deceptive `.lnk` file, which downloaded a malicious CHM file, used `hh.exe` for extraction, displayed a decoy PDF about Iranian missile strikes, and ultimately installed a multi-stage PlugX payload. The other references are unrelated: one is a technical review of **CVE-2026-25185** in Windows shortcut handling, and another covers malicious Packagist themes shipping trojanized jQuery tied to **FUNNULL** infrastructure rather than the China-linked espionage activity described in the relevant reports.
4 days ago
Chinese Espionage Campaign CL-UNK-1068 Targeting Asian Critical Infrastructure via Web Server Exploitation
Palo Alto Networks Unit 42 reported a **previously undocumented Chinese threat actor**, tracked as **CL-UNK-1068**, conducting a multi-year intrusion campaign (observed since at least 2020) against high-value organizations across **South, Southeast, and East Asia**. Targeted sectors include **aviation, energy, government, law enforcement, pharmaceutical, technology, and telecommunications**, with Unit 42 assessing **moderate-to-high confidence** that the primary objective is **cyber espionage** (while not fully ruling out criminal motives). The assessment cites tool provenance, linguistic artifacts in configurations, and consistent long-term targeting of Asian critical infrastructure as key factors supporting attribution. The activity features exploitation of **internet-facing web servers** to deploy **web shells** and establish persistence across both Windows and Linux environments, using a mix of custom malware, modified open-source tools, and **living-off-the-land binaries (LOLBINs)**. Reported tooling includes **Godzilla** and **ANTSWORD** web shells, the **Xnote** Linux backdoor, and **Fast Reverse Proxy (FRP)** for tunneling/relay; post-compromise behavior includes lateral movement and targeted file theft from Windows web servers (e.g., `c:\inetpub\wwwroot`) focusing on files such as `web.config`, `.aspx`, `.asmx`, `.asax`, and `.dll`, consistent with credential access and with discovery in support of follow-on exploitation.
6 days ago
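Web shells dropped into a web root and edits to `web.config` both show up as file-level changes, so a hash baseline of exactly the file types the report lists is a cheap hunting control. The code below is an added example for this page, not Unit 42 or Palo Alto Networks code; the directory tree it builds in `demo()` is constructed, and the extension list is taken from the report's own enumeration.

```python
"""Baseline-and-diff check for an IIS web root: record hashes of the file
types the report lists as targeted (web.config, .aspx, .asmx, .asax, .dll)
and report anything new, changed or missing on a later pass. Added example,
not Unit 42 code; the directory layout built in demo() is constructed."""
import hashlib
import tempfile
from pathlib import Path

# Extensions worth baselining on an IIS web root (from the report's list).
WATCHED_SUFFIXES = {".aspx", ".asmx", ".asax", ".config", ".dll"}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large DLLs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each watched file (path relative to root, POSIX form) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def diff_webroot(root: Path, baseline: dict) -> dict:
    """Compare the current tree with a trusted baseline taken earlier."""
    current = build_baseline(root)
    modified = [k for k in current if k in baseline and current[k] != baseline[k]]
    return {
        "new": sorted(set(current) - set(baseline)),
        "modified": sorted(modified),
        "missing": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: a clean baseline, then a dropped .aspx file and an
    edited web.config, the kind of change a web-shell deployment leaves behind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "Default.aspx").write_text('<%@ Page Language="C#" %>')
        (root / "web.config").write_text("<configuration/>")
        (root / "bin" / "App.dll").write_bytes(b"MZ\x90\x00")
        (root / "readme.txt").write_text("not a watched type")
        baseline = build_baseline(root)

        # Later pass: one new script file and one altered configuration file.
        (root / "update.aspx").write_text('<%@ Page Language="C#" %>')
        (root / "web.config").write_text(
            "<configuration><system.web/></configuration>")
        return diff_webroot(root, baseline)


if __name__ == "__main__":
    print(demo())
```

The baseline should be captured from a known-good deployment (or regenerated from the release artifact), stored off the server, and compared on a schedule; anything in `new` or `modified` under the web root that did not come from a deployment is worth a look, since legitimate application code rarely changes outside a release.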
Phishing and Social Engineering Campaigns Leveraging Trusted Channels and China-Linked Tradecraft
Multiple reports highlight **social engineering-driven compromise** rather than exploitation of software vulnerabilities, with attackers relying on trusted-looking communications and infrastructure to bypass defenses. One campaign described by X-Labs uses a “clean” initial business email (often passing `SPF`/`DKIM`/`DMARC`) that contains **no direct malicious link**, instead delivering a **PDF attachment** that leads victims through a multi-stage document chain. The chain leverages reputable cloud services—including **Vercel Blob**—to host intermediary PDFs that redirect to a **Dropbox-impersonation** credential-harvesting page, and then uses a **Telegram bot** as a collection point for stolen credentials, complicating detection and takedown. Separately, researchers reported a targeted operation attributed to **China-linked Mustang Panda** (aka *HoneyMyte*) against government officials and diplomats, using **fake diplomatic briefing documents** themed as U.S./international policy updates to induce execution and install surveillance tooling, including **PlugX** (noted as a DOPLUGS variant). In parallel, U.S. reporting described **HUMINT-style recruitment approaches** tied primarily to China, where adversaries pose as recruiters/consulting firms on email and job platforms to elicit or purchase sensitive information from current/former U.S. government personnel—an espionage pathway that is adjacent to, but distinct from, the phishing/malware activity described in the other reporting.
1 month ago
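The X-Labs chain is built so that every layer a mail gateway normally trusts comes back clean: authentication passes and the body holds no link, with the pivot living inside the PDF's link annotation. A triage routine therefore has to treat "authenticated, link-free body, attachment that links out" as a signal rather than a pass. The following is an added example for this page, not X-Labs code; the message, the minimal PDF bytes and the watched host names are constructed placeholders, and the `.invalid` domains stand in for whatever cloud storage hosts an analyst chooses to watch.

```python
"""Triage a message that passes SPF/DKIM/DMARC but carries a PDF whose link
leads off to a cloud-hosted intermediary. Added example, not X-Labs code;
the message, PDF bytes and watched host names below are constructed."""
import re
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from urllib.parse import urlparse

# Constructed: hosts the analyst wants surfaced when they appear only inside
# an attachment rather than in the message body.
WATCHED_HOSTS = {"blob.example-cloud.invalid", "share.example-cloud.invalid"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # /A << /S /URI /URI (...) >>
URL_RE = re.compile(r"https?://\S+", re.I)


def build_sample_message() -> bytes:
    """Constructed 'clean' business e-mail with a link-bearing PDF attached."""
    msg = EmailMessage()
    msg["From"] = "accounts@partner.example"
    msg["To"] = "finance@victim.example"
    msg["Subject"] = "Invoice for March"
    msg["Authentication-Results"] = (
        "mx.victim.example; spf=pass smtp.mailfrom=partner.example; "
        "dkim=pass header.d=partner.example; dmarc=pass header.from=partner.example")
    msg.set_content("Hello,\n\nplease find the invoice attached.\n")
    pdf = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
           b"/A << /S /URI /URI (https://blob.example-cloud.invalid/invoice.pdf) >> >>"
           b" endobj\n%%EOF\n")
    msg.add_attachment(pdf, maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    return msg.as_bytes()


def auth_results(msg) -> dict:
    """Pull spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(str(header))}


def body_urls(msg) -> list:
    """URLs present in the visible body (the chain above keeps this empty)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return URL_RE.findall(body.get_content()) if body else []


def attachment_uris(msg) -> list:
    """(filename, url) for every /URI link action found in a PDF attachment."""
    found = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "application/pdf":
            continue
        raw = part.get_payload(decode=True) or b""
        for target in PDF_URI_RE.findall(raw):
            found.append((part.get_filename(), target.decode("latin-1")))
    return found


def triage(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=default)
    auth = auth_results(msg)
    uris = attachment_uris(msg)
    in_body = body_urls(msg)
    flagged = [(f, u) for f, u in uris if urlparse(u).hostname in WATCHED_HOSTS]
    return {
        "authenticated": all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")),
        "body_urls": in_body,
        "attachment_uris": uris,
        "flagged": flagged,
        # A link-free body plus an attachment that links to a watched host is
        # the signal; passing SPF/DKIM/DMARC does not clear it.
        "suspicious": bool(flagged) and not in_body,
    }


if __name__ == "__main__":
    print(triage(build_sample_message()))
```

Real PDFs compress object streams and may encode the URI as a hex string, so a production version would decode streams with a PDF library before applying the pattern; the point here is the decision logic, which flags the sample even though all three authentication results read `pass`. Where the page's chain goes on to a Dropbox-impersonation page and a Telegram collection bot, the same routine extends naturally by resolving the first-hop URL in a sandbox and adding the observed redirect targets to the watch set.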